In January, Colorado lawmakers introduced a proposal to make operating systems collect users’ ages and pass them to app developers. The bill, SB26-051, had clearly been designed for commercial platforms like iOS and Android — one of numerous plans to age-gate the internet through users’ devices. It was intended to provide information that would let developers disable age-inappropriate experiences for kids. But as it made the rounds online, Linux laptop maker Carl Richell read the proposal with dismay.
Carl Richell is the founder and CEO of Dever-based System76, which also develops the Pop!_OS Linux distribution. The law, he realized, would likely apply to his own small business. Without the resources of a company like Apple and Google, complying with Colorado’s bill would be a major logistical headache. More broadly, Richell believed it would betray the principles of open source and limit its potential. Open source is “the best way to learn computing,” he told The Verge. “There is nothing like learning from example, and the Linux desktop is a free, open-source example of how to build an entire operating system.” A system that can restrict how children use it — by blocking their ability to interact with certain apps or denying them root access, both possible outcomes of an age-gating system — “breaks that.”
Richell began working with state lawmakers. He spent weeks pushing for changes and sharing updates online. On April 23rd, he appeared before a Colorado House of Representatives committee meeting to make his case. “Everyone should have access to the ability to create with a computer,” Richell testified. “Open-source software makes that possible. It ensures that everyone, regardless of age or background, can learn, experiment, and build at the most fundamental level.” In its original form, the bill, he warned, “unintentionally swept that world into its scope.”
“We have created a template that I hope other legislatures adopt.”
His persistence paid off. On May 1st, SB26-051 passed with an exemption he’d pushed for — excluding open-source operating systems like Linux from its rules. “We have created a template that I hope other legislatures adopt,” Richell told The Verge.
Richell’s brush with age verification laws ended well. In the larger world of open source, though, they remain a hot topic. As several US states are debating and enacting rules similar to Colorado’s, some open-source developers are still trying to figure out how to respond — or whether they need to. Others are openly thumbing their noses at the new rules. And some, like Richell, are trying to help lawmakers understand their plight.
Concern over how Linux would deal with age-gating kicked into high gear late last year when California passed AB 1043. Under state law, operating systems and app stores must collect users’ ages during device setup starting January 1st, 2027. Open-source developers and users were left wondering how the law would be applied to them, or if it even could be.
The law posed practical challenges. Many open-source projects are volunteer-run and lack the funding and resources that big tech companies have to roll out age verification (also referred to as “age assurance” or “age attestation”). And the nature of open-source software makes the process even trickier. If an open-source developer does add the necessary age-gating tech, someone else can just create a fork of the software that strips out those measures, and if there’s a legal crackdown, it’s not necessarily clear who’s liable.
On top of these difficulties, age verification is at odds with the ethos of many open-source projects, which are often designed to be maximally customizable, minimally invasive, and to avoid collecting user data. Developers may now find themselves forced to choose between respecting users’ privacy preferences and complying with the law.
“This is security theater, not improved child safety.”
“Protecting children online is absolutely important,” Michael Dolan, SVP of strategic programs at the Linux Foundation, told The Verge. “However, age verification mandates imposed on open source systems create new privacy risks while remaining easily circumvented. This is security theater, not improved child safety.”
California is far from the only place where this issue comes up. Colorado’s bill, which now sits on the governor’s desk, was modeled on California’s. So is HB4140, currently under consideration in Illinois. New York’s S8102A, currently in committee, would require age assurance measures on “any desktop, laptop, smartphone, tablet, or other device” that can access content on the internet.
Some developers haven’t yet announced what, if anything, they’re going to do. Jon Seager, VP of engineering at Ubuntu developer Canonical, responded to AB 1043 in a blog post on March 4th, stating, “Canonical is aware of the legislation and is reviewing it internally with legal counsel, but there are currently no concrete plans on how, or even whether, Ubuntu will change in response.”
Developers at other distros are discussing ways to comply while compromising privacy as little as possible. For instance, Fedora Project leader Jef Spaleta shared a comment on the Fedora forums in February suggesting a “local API” might be the easiest solution, or adding a new “age” field to the existing system for mapping device IDs to usernames.
Leading Linux distributions like Ubuntu and Fedora could establish a precedent for how other distros respond to these bills, but some developers are trying to avoid compliance altogether, out of a mix of confusion and defiance.
The developers of open-source OS MidnightBSD, for instance, posted a significantly more adversarial response on X in February: “Until we have a better plan, we modified our license to exclude residents of California from using MidnightBSD for desktop use, effective January 1, 2027.” There’s nothing technically stopping Californians from downloading and using it anyway, but by formally banning access, the developers hope to avoid liability without changing their OS for the time being.
Some developers are holding off because they’re not based out of California or even the US. “As we’re based in Ireland (both our company and ourselves personally) and don’t have any physical presence or nexus in California, there’s a possibility that this law may not be realistically enforceable,” said Artyom Zorin, CEO and cofounder of Zorin OS, in a March forum post. “Last time I checked, California law does not (yet) apply where I live,” said one of the developers of Garuda Linux, taking a similar stance. “Garuda Linux will continue to comply with local regulations in Finland and Germany (where the servers are hosted, and the donation funds are held).”
Some developers are loudly, openly defying the law. Ageless Linux, which describes itself as “software for humans of indeterminate age,” is a conversion script for Debian that replaces the existing “birthDate” field in the user database with “a stub age verification API that returns no data.” Created in protest of the new laws, it doesn’t record any age for any user. In addition to highlighting how easy it is to bypass age check measures in Linux, developer John McCardle is issuing a challenge to regulators. “The question is not whether this is legal,” the Ageless Linux site says. “The question is whether anyone wants to spend the State of California’s money suing a person who handed a child a Linux USB drive.”
McCardle makes it easy for users to find out for themselves, laying out detailed instructions for distributing Ageless Linux to children (install Debian on a computer, run the Ageless Linux script, hand the computer to the child). The project’s website even mentions plans for an “Ageless Device” that would be a “sub-$15 single-board computer” running Ageless Linux, along with an ageless app store.
McCardle also points out that bills like AB 1043 don’t need to be enforced to have an impact, stating that AB 1043 “works by making small developers afraid. It works because the cost of defending against even a frivolous AG action exceeds the entire annual budget of most open-source projects.” He also says on the project’s website that he would frame the receipt if he was actually fined for violating AB 1043.
Many privacy advocates categorically oppose age verification laws on privacy and security grounds. “Open source exemptions reflect a better understanding of how these operating systems are developed and distributed, but they do not address the fundamental problem: There are more effective and less invasive ways to protect children online than centralized, easily bypassed age verification measures,” said the Linux Foundation’s Michael Dolan.
But with the extra complications that open-source software poses, Carl Richell and others hope at a minimum, lawmakers will offer carveouts for it. “SB51 is about identifying who’s a kid in a closed ecosystem,” he said. “Applying that broadly can push age verification into open systems that were never built to collect that kind of information in the first place.”
Now, under the law’s final text, age attestation rules won’t apply to anyone making or providing an “operating system or application under license terms that permit a recipient to copy, redistribute, and modify the software without any platform-imposed technical or contractual restrictions imposed by the provider or developer on installing all modified versions.” Richell says that it’s tied to “user rights inherent in open source software,” while avoiding covering projects that “don’t align with the spirit of open source.”
Richell explained that the sponsors of Colorado’s age attestation bill invited community members to suggest changes to the bill, most of which were included in amendments that passed in committee on April 23rd. “That kind of process may not happen everywhere, but the general approach can translate,” Richell says. “Many of these bills are written without a deep understanding of how open-source software is developed and distributed. When developers and users engage early and explain the mechanics, it helps policymakers see where broad requirements could create unintended consequences.”
In his announcement about Zorin OS’s age verification stance, Zorin encouraged users to “take a few minutes out of your day to contact your local representatives and ask them to oppose invasive operating system-level age verification.” Short of blocking the laws entirely, he considers a carveout the only reasonable solution.
“The more invasive the age verification measures, the more likely users are to circumvent them.”
“We don’t see any other way these age verification laws could feasibly work other than to exempt open source operating systems entirely,” Zorin told The Verge. “In the worst-case scenario where all operating systems must legally include age verification by default, Linux users could simply remove or overwrite the age verification components in their systems to circumvent any such checks. The more invasive the age verification measures, the more likely users are to circumvent them in this way. It is up to lawmakers to make the effort to understand this reality.”
And if open-source exemptions become commonplace, they could create another reason to use Linux. The platform has already surged among users on Steam in recent months, possibly bolstered by Microsoft ending support for Windows 10 late last year. Zorin boasted that since its release in October, Zorin OS 18 has seen nearly 4 million downloads, over 78 percent from devices running Windows and macOS.
“In a world where governments and big tech companies are increasingly exerting control over our own devices, we’re seeing more interest than ever in switching to more user-respecting alternatives,” he said. “If more and more restrictive measures are legally mandated on mainstream consumer tech, we’re likely to see Linux adoption continuing to break records.”
